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National Archives and Records Administration 




April 29, 2011 



The President 
The White House 
Washington, DC 20500 



Dear Mr. President: 



I am pleased to submit the Information Security Oversight Office's (ISOO) Report on Cost Estimates for 



Security Classification Activities for Fiscal Year 2010. 

This report provides information on the cost estimates of the security classification program as required 
by Executive Order 13526, "Classified National Security Information." It provides statistics and analysis 
concerning key components of the system from 41 Executive branch agencies. It also contains cost 
information with respect to industrial security in the private sector as required by Executive Order 12829, as 
amended, "National Industrial Security Program." The cost estimates from the Central Intelligence Agency, 
the Defense Intelligence Agency, the Office of the Director of National Intelligence, the National Geospatial- 
Intelligence Agency, the National Reconnaissance Office, and the National Security Agency, are compiled in 
a classified addendum to this report that is being transmitted separately. 

With the implementation of Executive Order 13526, costs for all areas of security classification increased 
during FY 2010. Sustaining and increasing investment in classification and security measures is necessary 
to maintain the classification system and is fundamental to the principles of transparency, participation, and 
collaboration. As ISOO oversees the trends in this system, we will continue to focus on enhancing the policy 
and guidance directed towards maintaining an efficient and effective classification management program. 



WILLIAM A. CIRA 
Acting Director 

Enclosure 

cc: Thomas Donilon 

Assistant to the President for National Security Affairs 



Respectfully, 




2010 REPORT TO THE PRESIDENT 

Cost Estimates for Security Classification Activities 



BACKGROUND AND 

Methodology 

The Information Security Oversight Office (ISOO) 
reports annually to the President on the estimated costs 
associated with agencies' implementation of Executive 
Order (E.O.) 13526, "Classified National Security 
Information," and E.O. 12829, as amended, "National 
Industrial Security Program." 

ISOO relies on the agencies to estimate the costs of 
the security classification system. Requiring agencies 
to provide exact responses to the cost collection 
efforts would be cost prohibitive. The collection 
methodology used in this report has consistently 
provided a good indication of the trends in total 
cost. It is important to note that absent any security 
classification activity, many of the expenditures 
reported would continue to be made in order to 
address other, overlapping security requirements. 

The Government data presented in this report were 
collected by categories based on common definitions 
developed by an Executive branch working group. The 
categories are defined below: 

Personnel Security: A series of interlocking and 
mutually supporting program elements that initially 
establish a Government or contractor employee's 
eligibility and ensure suitability for the continued access 
to classified information. 

Physical Security: That portion of security concerned 
with physical measures designed to safeguard and 
protect classified facilities and information, domestic, 
or foreign. 

Information Security: Includes four subcategories: 

Classification Management: The system of 
administrative policies and procedures for 
identifying, controlling, and protecting classified 
information from unauthorized disclosure, the 
protection of which is authorized by Executive 
order or statute. Classification Management 



encompasses those resources used to identify, 
control, transfer, transmit, retrieve, inventory, 
archive, or destroy classified information. 

Declassification: The authorized change in the 
status of information from classified information 
to unclassified information. It encompasses those 
resources used to identify and process information 
subject to the automatic, systematic, and mandatory 
review programs established by E.O. 13526, as 
well as discretionary declassification activities and 
declassification activities required by statute. 

Information Systems Security for Classified 
Information: An information system is a set of 
information resources organized for the collection, 
storage, processing, maintenance, use, sharing, 
dissemination, disposition, display, or transmission 
of information. Security of these systems 
involves the protection of information systems 
against unauthorized access to or modification 
of information, whether in storage, processing, 
or transit; and against the denial of service to 
authorized users, including those measures 
necessary to detect, document, and counter such 
threats. It can include, but is not limited to, the 
provision of all security features needed to provide 
an accredited system of computer hardware and 
software for protection of classified information, 
material, or processes in automated systems. 

Miscellaneous: Includes two subcategories: 

Operations Security (OPSEC): Systematic and 
proven process by which potential adversaries 
can be denied information about capabilities 
and intentions by identifying, controlling, and 
protecting generally unclassified evidence of the 
planning and execution of sensitive activities. 
The process involves five steps: identification of 
critical information, analysis of threats, analysis 
of vulnerabilities, assessment of risks, and 
application of appropriate countermeasures. 

Technical Surveillance Countermeasures 
(TSCM): Personnel and operating expenses 
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associated with the development, training 
and application of technical security 
countermeasures such as non-destructive and 
destructive searches, electromagnetic energy 
searches, and telephone system searches. 

Professional Education, Training, and Awareness: The 

establishment, maintenance, direction, support, and as- 
sessment of a security training and awareness program; 
the certification and approval of the training program; the 
development, management, and maintenance of train- 
ing records; the training of personnel to perform tasks 
associated with their duties; and qualification and/or 
certification of personnel before assignment of security 
responsibilities related to classified information. 

Security Management, Oversight, and Planning: 

Development and implementation of plans, procedures, 
and actions to accomplish policy requirements, 
develop budget and resource requirements, oversee 
organizational activities, and respond to management 
requests related to classified information. 

Unique Items: Those department specific or agency 
specific activities that are not reported in any of the 



primary categories, but are nonetheless significant and 
need to be included. 

Survey Results and 
Interpretation 

The total security classification cost estimate within 
Government for Fiscal Year (FY) 2010 is $10.17 
billion. This figure represents estimates provided 
by 41 Executive branch agencies, including the 
Department of Defense (DoD). It does not include the 
cost estimates of the Central Intelligence Agency, the 
Defense Intelligence Agency, the Office of the Director 
of National Intelligence, the National Geospatial- 
Intelligence Agency, the National Reconnaissance 
Office, and the National Security Agency. The cost 
estimates of these agencies are classified in accordance 
with Intelligence Community classification guidance 
and are included in a classified addendum to this report. 
The total security classification costs for Executive 
branch agencies increased $1.36 billion in FY 2010, an 
increase of 15 percent from FY 2009. 



Government Security Classification Costs FY 2010 



TOTAL 
Information Security 

Security Management, 
Oversight, and Planning 

Physical Security 

Personnel Security 

Professional Education, 
Training, and Awareness 

Unique Items 



$10,169,149,557 



$5,214,171,554 



$1,541,694,129 

$1,434,301,336 

$1,556,632,327 



Miscellaneous 
(OPSECand TSCM) 
$106,655,337 (2%) 

i \! 



$400,433,399 



$21,916,812 




Classification 
Management 
/ $364,220,066 (7%) 

Declassification 
$50,442,266 (1%) 



Information Systems Security 
for Classified Information 
$4,692,853,885 (90%) 
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For FY 2010, agencies reported $1.6 billion in estimated 
costs associated with Personnel Security, an increase of 
$343.2 million, or 28 percent. 

Estimated costs associated with Physical Security were 
$1.4 billion, an increase of $154 million, or 12 percent 
increase, from FY 2009. 

Estimated costs associated with Information Security 
were $5.2 billion. Information Security continues 
to be the main driver of all the costs, representing 
51 percent of the total security classification costs 
for FY 2010. There are four subcategories within 
Information Security: Classification Management, 
Declassification, Information Systems Security for 
Classified Information, and Miscellaneous (OPSEC and 
TSCM). Of these subcategories, Information Systems 
Security for Classified Information continues to be 
the most costly, at $4.7 billion, or 90 percent of esti- 
mated costs for Information Security. Classification 



Management costs showed an increase of $3.1 million, 
or 1 percent; Declassification costs increased $5.8 mil- 
lion, or 13 percent; Information Systems Security costs 
increased $430 million, or 10 percent; and Miscellaneous 
costs, which include OPSEC and TSCM, increased $0.5 
million, or 0.5 percent. Overall, Information Security 
increased $439.7 billion, a 9 percent increase. 

The FY 2010 estimated costs for Professional 
Education, Training, and Awareness were $400.4 
million, a $174.3 million, or 77 percent increase in 
costs from FY 2009. This significant increase was 
due primarily to additional resources required to 
update or create on-line training courses to meet the 
requirements of E.0. 13526. 

Estimated costs associated with Security Management, 
Oversight, and Planning were $1.5 billion. The costs 
for FY 2010 increased $238.3 million, an 18 percent 
increase over the FY 2009 costs. 



Government Security Classification Costs FY 1995 - FY 2010" 
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Although costs associated with Unique Items increased 
by $6.2 million, or 39 percent, this category continues 
to be the smallest at $21.9 million, less than 0.2 percent 
of the total. The increase in this category was mainly 
due to equipment upgrades. 

The three smaller subcategories of Information Security 
— Classification Management, Declassification, and 
Miscellaneous (OPSEC and TSCM) — were first reported 
separately in FY 2003. That year, they comprised 5.1 
percent of the total Government security classification 
costs. In FY 2010, they again comprised 5.1 percent of 



the total Government costs. From FY 1998, the first year 
Declassification costs were reported, through FY 2010, 
Declassification costs have decreased by $149.2 million. 
However, in FY 2010, spending on Declassification 
increased $5,796,455 (13 percent) over FY 2009 costs. 
Classification Management costs continue to increase 
slightly each year. From FY 1995 through FY 2010, 
these costs have increased by $52.2 million. In FY 2010, 
Classification Management increased $3 million, or 1 
percent. OPSEC and TSCM costs have increased $91.6 
million since they began to be reported as a separate 
category in FY 2003. 



Information Security Costs FY 1995 - FY 2010 
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*Prior to 1 998, Declassification costs were included in Classification Management costs. 
+ Prior to 2003, Miscellaneous (OPSEC and TSCM) costs were not reported. 
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Information Systems Security for Classified 
Information has been the most costly subcategory 
of Information Security, comprising more than 44 
percent of all the total costs yearly from FY 1995 
to FY 2009. Although in FY 2009 costs decreased, 
in FY 2010 costs in this category increased $430.3 
million or 10 percent. The increase was due to the 
establishment of new secure facilities, and the 
installation of secure communication systems. 

To fulfill the cost reporting requirements, a joint 
DoD and industry group developed a cost collection 
methodology for those costs associated with the use 



and protection of classified information within industry. 
For FY 2010, the Defense Security Service collected 
industry cost data and provided the estimate to ISOO. 

Cost estimate data are not provided by category 
because industry accounts for its costs differently 
than Government. Rather, a sampling method was 
applied that included volunteer companies from 
four different categories of facilities. The category 
of facility is based on the complexity of security 
requirements that a particular company must meet in 
order to hold and perform under a classified contract 
with a Government agency. 



Information Systems Security for Classified Information Costs FY 1995 - FY 2010 
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The FY 2010 cost estimate totals for industry pertain 
to the twelve-month accounting period for the most 
recently completed fiscal year of the companies that 
were part of the industry sample under the National 
Industrial Security Program. 



For most of the 843 companies included in the sample, 
December 31, 2010, was the end of the fiscal year. The 
estimate of total security classification costs for FY 2010 
within industry is $1.25 billion; an increase of $128.3 mil- 
lion from $1.12 billion in FY 2009, or 11 percent. 



Total Costs for Government and Industry FY 1995 - FY 2010 




Conclusion 

This year's estimate for Government and industry 
shows an increase of $1.5 billion or 15 percent. From 
FY 1995 through FY 2010, there was an increase 
of $5.8 billion in total costs. The average annual 



increase from FY 2002 through FY 2005 was 
$911.8 million compared to an average annual 
increase of only $485.2 million from FY 2006 
through FY 2010. 
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